How do I trace a program packed with the ASProtect shell?

[Declaration] I wrote this article for the sake of exchange; I hope everyone who reprints it keeps it intact.

[Foreword] Since the ASProtect shell uses a great deal of anti-tracing technology, working through it is really a matter of time. I am worried that my level is limited and that I cannot understand all of it. But think about it: I am no authority, and mistakes are unavoidable. Since what I am running is a "technical exchange", I do not have to guarantee that every sentence is correct, nor is this a tutorial to be followed step by step. Being an "exchange", it should improve through exchange, rather than me forever preaching unclear scriptures to everyone like a missionary. So I hope that it is not only I who speak, but everyone. How you say it is up to you; everyone can have their own style. :-) I hope my wish is not a dream.

Author: ljtt
Date written: 2001-04-10

[Start] Have you traced a program packed with the ASProtect shell? If so, have you had the following experience?

    015F:012803D9 E3 33 C0 5A 59 59 64 89-10 68 F7 03 28 01 45
    015F:012803E9 FC E8 A1 2D FF FF C3 E9-F3 29 FF FF EB F0 5F 5E
    015F:012803F9 5B 59 5D C3 00 00 00 FF-FF FF 02 00 00 0D
    015F:01280409 0A 00 00 55 8B EC 53 56-8B DA 8B F0 8B 45 08 8B

    KERNEL32!FindClose+0386
    015F:BFF768C6 FF5518          CALL [EBP+18]
    015F:BFF768C9 83C410          ADD ESP,10
    015F:BFF768CC 648F0500000000  POP DWORD PTR FS:[00000000]
    015F:BFF768D3 C9              LEAVE
    015F:BFF768D4 C3              RET

You are often dropped at the spot inside FindClose shown above, and from there, inside the system kernel, it is not easy to get back to the program's own code. Oh yes, I have had that experience. While tracing, I found that before long I was back at the same old place again, dizzy... It seems this one is awkward, so let us start with the current stack and see what turns up.
We execute the command D ESP, which displays the following:

    0167:0081FB10 D8 FB 81 00 D0 FC 81 00-F4 FB 81 00 B0 FB 81 00
                                          ^^^^^^^^^^^

The third dword, F4 FB 81 00, is what we are after. At last I have found a small clue.
Let us follow it down one level with the command D 81FBF4, which displays the following:

    0167:0081FBF4 1F 00 01 00 00 00 00 00-00 00 00 00 00 00 00 00
    0167:0081FC04 00 00 00 00 00 00 00 00-55 01 00 00 7F 02 FF FF
    0167:0081FC14 00 00 FF FF FF FF FF FF-00 00 00 00 00 00 00 00
    0167:0081FC24 00 00 00 00 00 00 00 00 00 00 00 00 00

Oh, I have just learned a little about SEH and understand the CONTEXT structure, so seeing this... no more hesitation... 81FBF4 may well be a pointer to a _CONTEXT structure.
Let us look at the definition of the _CONTEXT structure (offsets in hex):

    _CONTEXT STRUC
        cx_ContextFlags         DD ?    ; 00
        ; CONTEXT_DEBUG_REGISTERS
        cx_Dr0                  DD ?    ; 04
        cx_Dr1                  DD ?    ; 08
        cx_Dr2                  DD ?    ; 0C
        cx_Dr3                  DD ?    ; 10
        cx_Dr6                  DD ?    ; 14
        cx_Dr7                  DD ?    ; 18
        ; CONTEXT_FLOATING_POINT
        cx_ControlWord          DD ?    ; 1C
        cx_StatusWord           DD ?    ; 20
        cx_TagWord              DD ?    ; 24
        cx_ErrorOffset          DD ?    ; 28
        cx_ErrorSelector        DD ?    ; 2C
        cx_DataOffset           DD ?    ; 30
        cx_DataSelector         DD ?    ; 34
        SIZE_OF_80387_REGISTERS EQU 80
        cx_RegisterArea         DB SIZE_OF_80387_REGISTERS DUP (?)   ; 38
        cx_Cr0NpxState          DD ?    ; 88
        ; CONTEXT_SEGMENTS
        cx_SegGs                DD ?    ; 8C
        cx_SegFs                DD ?    ; 90
        cx_SegEs                DD ?    ; 94
        cx_SegDs                DD ?    ; 98
        ; CONTEXT_INTEGER
        cx_Edi                  DD ?    ; 9C
        cx_Esi                  DD ?    ; A0
        cx_Ebx                  DD ?    ; A4
        cx_Edx                  DD ?    ; A8
        cx_Ecx                  DD ?    ; AC
        cx_Eax                  DD ?    ; B0
        ; CONTEXT_CONTROL
        cx_Ebp                  DD ?    ; B4
        cx_Eip                  DD ?    ; B8
        cx_SegCs                DD ?    ; BC
        cx_EFlags               DD ?    ; C0
        cx_Esp                  DD ?    ; C4
        cx_SegSs                DD ?    ; C8
    _CONTEXT ENDS                       ; size of CONTEXT is 0CCh bytes

From this we can see that the _CONTEXT structure keeps the saved EIP value at offset B8.
Let us look at the value at 81FBF4+B8. We execute the command D 81FBF4+B8, which displays the following:

    0167:0081FCAC 4A FF 27 01 5F 01 00 00-46 02 00 00 D0 FC 81 00
                  ^^^^^^^^^^^

The first dword, 4A FF 27 01, is the saved EIP: 0127FF4A. We set a breakpoint with BPX 127FF4A and press F5; sure enough, the program stops at the breakpoint we set. :-) It displays the following:

    015F:0127FF4A 648F0500000000  POP DWORD PTR FS:[00000000]   <--- stopped here
    015F:0127FF51 58              POP EAX
    015F:0127FF52 E84127FFFF      CALL 01272698
    015F:0127FF57 A154352801      MOV EAX,[01283554]
    015F:0127FF5C 83E80D          SUB EAX,0D
    015F:0127FF5F 8B1554352801    MOV EDX,[01283554]

It seems we have got the hang of it. But we should not be satisfied with just that; let us look at how the program does it. I soon located this small piece of code in the program. Since it contains junk ("flower") instructions, I have made a small change to it so that SoftICE can display the assembly code correctly.
    015F:0127FEFB 90              NOP
    015F:0127FEFC 64FF30          PUSH DWORD PTR FS:[EAX]
    015F:0127FEFF EB01            JMP 0127FF02
    015F:0127FF01 90              NOP
    015F:0127FF02 648920          MOV FS:[EAX],ESP                 <--- set up the SEH chain
    015F:0127FF05 3100            XOR [EAX],EAX
    015F:0127FF07 EB01            JMP 0127FF0A
    015F:0127FF09 90              NOP
    015F:0127FF0A 648F0500000000  POP DWORD PTR FS:[00000000]
    015F:0127FF11 EB02            JMP 0127FF15
    015F:0127FF13 90              NOP
    015F:0127FF14 90              NOP
    015F:0127FF15 58              POP EAX
    015F:0127FF16 E825000000      CALL 0127FF40
    015F:0127FF1B 8B44240C        MOV EAX,[ESP+0C]                 <--- EAX is the CONTEXT pointer
    015F:0127FF1F 8380B800000002  ADD DWORD PTR [EAX+000000B8],02  <--- modify Context.Eip
    015F:0127FF26 51              PUSH ECX
    015F:0127FF27 31C9            XOR ECX,ECX                      <--- ECX = 0
    015F:0127FF29 894804          MOV [EAX+04],ECX                 <--- modify Context.Dr0 = 0
    015F:0127FF2C 894808          MOV [EAX+08],ECX                 <--- modify Context.Dr1 = 0
    015F:0127FF2F 89480C          MOV [EAX+0C],ECX                 <--- modify Context.Dr2 = 0
    015F:0127FF32 894810          MOV [EAX+10],ECX                 <--- modify Context.Dr3 = 0
    015F:0127FF35 C7401855010000  MOV DWORD PTR [EAX+18],00000155  <--- modify Context.Dr7 = 00000155
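To make the walk from ESP to the CONTEXT and the handler's edits concrete, here is an added Python example. It is my own code, not code from the article or from ASProtect. It rebuilds a small memory image from the bytes of the three SoftICE dumps above (constructed; anything not shown in the dumps reads as zero), reads the handler's four arguments from the stack as they sit right after kernel32's CALL [EBP+18] returns (ExceptionRecord, EstablisherFrame, ContextRecord, DispatcherContext; inside the handler itself they sit 4 bytes higher because the return address is on top, which is why the listing uses [ESP+0C]), pulls Eip out of the CONTEXT at offset B8 using the _CONTEXT offsets from the structure definition, decodes which hardware-breakpoint slots Dr7 enables, and replays the edits the handler makes: Eip+2 to step over the two-byte XOR [EAX],EAX (EAX is 0 here, since FS:[EAX] is being used to address the SEH head at FS:[0], so the write to address 0 raises the access violation that invokes the handler), Dr0..Dr3 zeroed, Dr7 = 155h. All function names are mine.

```python
import struct

# Offsets of the x86 CONTEXT fields, taken from the _CONTEXT STRUC in the article.
CONTEXT_OFFSETS = {
    "ContextFlags": 0x00,
    "Dr0": 0x04, "Dr1": 0x08, "Dr2": 0x0C, "Dr3": 0x10, "Dr6": 0x14, "Dr7": 0x18,
    "SegGs": 0x8C, "SegFs": 0x90, "SegEs": 0x94, "SegDs": 0x98,
    "Edi": 0x9C, "Esi": 0xA0, "Ebx": 0xA4, "Edx": 0xA8, "Ecx": 0xAC, "Eax": 0xB0,
    "Ebp": 0xB4, "Eip": 0xB8, "SegCs": 0xBC, "EFlags": 0xC0, "Esp": 0xC4, "SegSs": 0xC8,
}
CONTEXT_SIZE = 0xCC

# Argument order the system pushes before calling an SEH handler.
HANDLER_ARGS = ("ExceptionRecord", "EstablisherFrame", "ContextRecord", "DispatcherContext")


def build_sample_memory():
    """Constructed memory image made from the three SoftICE dumps in the article.
    Only bytes that appear in the dumps are meaningful; unlisted bytes read as zero."""
    mem = {}

    def put(addr, hexbytes):
        for i, b in enumerate(bytes.fromhex(hexbytes)):
            mem[addr + i] = b

    # 'd esp' at 0167:0081FB10: the four handler arguments on the stack
    put(0x0081FB10, "D8FB8100 D0FC8100 F4FB8100 B0FB8100")
    # 'd 81fbf4': start of the CONTEXT (ContextFlags, Dr0..Dr7, first FP word)
    put(0x0081FBF4, "1F000100 00000000 00000000 00000000"
                    "00000000 00000000 55010000 7F02FFFF")
    # 'd 81fbf4+b8': Eip, SegCs, EFlags, Esp
    put(0x0081FBF4 + 0xB8, "4AFF2701 5F010000 46020000 D0FC8100")
    return mem


def read_dword(mem, addr):
    """Little-endian DWORD read from the sparse memory image (missing bytes are 0)."""
    return struct.unpack("<I", bytes(mem.get(addr + i, 0) for i in range(4)))[0]


def handler_args(mem, esp):
    """Handler arguments as they sit at ESP right after kernel32's CALL [EBP+18]
    returns (before ADD ESP,10). Inside the handler they are 4 bytes higher,
    because the return address is on top, hence the listing's MOV EAX,[ESP+0C]."""
    return {name: read_dword(mem, esp + 4 * i) for i, name in enumerate(HANDLER_ARGS)}


def read_context(mem, ctx_addr):
    """Decode the named CONTEXT fields at ctx_addr using the offsets above."""
    return {name: read_dword(mem, ctx_addr + off) for name, off in CONTEXT_OFFSETS.items()}


def decode_dr7(dr7):
    """Which debug-register slots DR7 enables: bit 2*i is Li (local enable),
    bit 2*i+1 is Gi (global enable) for slot i in 0..3."""
    return {
        "local": [i for i in range(4) if dr7 & (1 << (2 * i))],
        "global": [i for i in range(4) if dr7 & (1 << (2 * i + 1))],
    }


def simulate_handler(ctx):
    """Replay the edits the article's handler makes to the CONTEXT before it
    returns: skip the two-byte faulting instruction, wipe Dr0..Dr3, Dr7 = 155h."""
    new = dict(ctx)
    new["Eip"] += 2
    for reg in ("Dr0", "Dr1", "Dr2", "Dr3"):
        new[reg] = 0
    new["Dr7"] = 0x155
    return new


def walk_from_esp(mem, esp):
    """The whole procedure from the article: ESP -> ContextRecord -> CONTEXT fields."""
    args = handler_args(mem, esp)
    ctx = read_context(mem, args["ContextRecord"])
    return args, ctx


if __name__ == "__main__":
    memory = build_sample_memory()
    args, ctx = walk_from_esp(memory, 0x0081FB10)
    print("ContextRecord     = %08X" % args["ContextRecord"])
    print("Context.Eip       = %08X  (address for BPX)" % ctx["Eip"])
    print("Context.Dr7       = %08X  enables %s" % (ctx["Dr7"], decode_dr7(ctx["Dr7"])))
    after = simulate_handler(ctx)
    print("Eip after handler = %08X" % after["Eip"])
```

Two things the decoded values show that the listing alone does not: Dr7 = 155h sets the local-enable bits L0..L3 while Dr0..Dr3 are zero, so any hardware breakpoints a debugger had placed are discarded and the four slots are left enabled on address 0; and the EstablisherFrame argument (0081FCD0) equals Context.Esp, which matches the MOV FS:[EAX],ESP in the listing that registered the SEH record at the current stack pointer.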